camptocamp / puppet-varnish

Apache License 2.0

varnish: created class varnish::administration #1

Closed ckaenzig closed 13 years ago

ckaenzig commented 13 years ago

This class creates a varnish-admin system group which has sudo rights to manage the varnish service.

mfournier commented 13 years ago

On Wed, Jun 08, 2011 at 01:53:21AM -0700, ckaenzig wrote:

This class creates a varnish-admin system group which has sudo rights to manage the varnish service.

Reply to this email directly or view it on GitHub: https://github.com/camptocamp/puppet-varnish/pull/1

Varnish shouldn't need to get restarted using root privileges, as you can restart the workers (as well as do other administrative stuff) using the varnishadm utility. And except if using a secret file (which we currently don't), any user with shell access to the system can run varnishadm.

Varnish isn't your usual unix daemon. We should learn to use it as it is meant to and refrain from trying to apply the usual admin patterns we are used to.

ckaenzig commented 13 years ago

On 06/08/2011 10:36 PM, mfournier wrote:

On Wed, Jun 08, 2011 at 01:53:21AM -0700, ckaenzig wrote:

This class creates a varnish-admin system group which has sudo rights to manage the varnish service.

Varnish shouldn't need to get restarted using root privileges, as you can restart the workers (as well as do other administrative stuff) using the varnishadm utility.

Ok, I did not know that. I guess it's best to have users use varnishadm then.

And except if using a secret file (which we currently don't), any user with shell access to the system can run varnishadm.

Did not know that either. And I would have expected a big fat warning screaming at my face saying anyone can do anything with varnish (when manually starting varnish, when puppet runs, or something).

I guess we don't use varnish on servers with a lot of local users, but that secret file should be enabled by default by puppet in my opinion.

Varnish isn't your usual unix daemon. We should learn to use it as it is meant to and refrain from trying to apply the usual admin patterns we are used to.

Yes, because consistency is bad...

Thanks.

Christian

Christian Kaenzig Camptocamp SA http://www.camptocamp.com/
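
The point raised in the thread, that without a secret file any local user can drive varnishadm, can be checked from the varnishd command line and the secret file's mode. The shell sketch below is an added example, not part of the thread or of puppet-varnish; it relies on varnishd's `-T` (management address) and `-S` (secret file) options, and the function names, sample command lines and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from puppet-varnish): audit a varnishd argv for an
# unauthenticated management interface, and a secret file for loose modes.

# audit_varnishd_args ARGV...
# Prints NO_T, "OPEN <addr>" or "AUTH <addr> <secretfile>".
# Returns 1 only for OPEN. A loopback -T address still counts as OPEN,
# because every local shell user can reach it.
audit_varnishd_args() {
    mgmt="" secret=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -T)   mgmt=${2-};   if [ $# -gt 1 ]; then shift; fi ;;
            -S)   secret=${2-}; if [ $# -gt 1 ]; then shift; fi ;;
            -T?*) mgmt=${1#-T} ;;
            -S?*) secret=${1#-S} ;;
        esac
        shift
    done
    if [ -z "$mgmt" ]; then
        echo "NO_T"; return 0
    fi
    # Recent varnishd versions accept "-S none" to switch authentication off.
    if [ -z "$secret" ] || [ "$secret" = "none" ]; then
        echo "OPEN $mgmt"; return 1
    fi
    echo "AUTH $mgmt $secret"; return 0
}

# secret_file_private FILE
# Returns 0 if FILE grants nothing to group/other, 1 if it does,
# 2 if FILE is missing or not a regular file.
secret_file_private() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld -- "$1") || return 2
    case "$mode" in
        ????------*) return 0 ;;   # e.g. -rw-------
        *)           return 1 ;;   # e.g. -rw-r--r--
    esac
}

# Constructed sample command lines (not taken from any real host).
audit_varnishd_args varnishd -a :80 -T localhost:6082 -s malloc,256m || true
audit_varnishd_args varnishd -a :80 -T localhost:6082 -S /etc/varnish/secret || true
```

On a live host the argv would come from the running varnishd process, and `secret_file_private` would be pointed at the path reported after `AUTH`.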